Slashdot Mirror
Microsoft Sued for Defective Software
Door-opening Fascist writes "eWeek is reporting that a South Korean citizen action group, People's Solidarity for Participatory Democracy, is suing Microsoft for putting the SQL Slammer vulnerability into Windows. They are doing so on behalf of the South Korean people and businesses affected by SQL Slammer."
Shut up and patch your systems like the rest of the planet.
Software isn't a physical thing so it's impossible to make it bug-free.
You knew about this vulnerability for months, there was a patch for it, and you did nothing about it."
Pick a defense, any defense...
- A.P.
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
Let it be noted that Microsoft already had SQL SP3 out which fixed the problem before it ever occurred. PSPD should try using a vulnerability that could actually hold water in court like Code Red or it's dirivative, or any other Word ActiveX open-execution macro vulernability.
Opponents of open source frequently argue that proprietary products are better then open source because "you can sue somebody".
Here somebody is suing MS. Let's see how that works out.
War is necrophilia.
If they expect governments to enforce the overzealous EULAs, and to insinuate the product has real monetary value and it should be criminal to misuse it, then they should be liable for its actions. The door swings both ways. To use the ridiculous but relevant car analogy, check out Ford/Firestone with the tire recall, they hat to eat a big huge monetary crap-sandwich to make up for that. They also have to provide parts for cars for 5 years after they sell them, by law, and they must also be subject to anti-lemon and consumer protection law.
While I don't foresee Microsoft getting chastised, lambasted and castigated as it should be here in the US where being a rich company has many, many benefits, I do see an opportunity for Microsoft to have to be held accountable for its actions in the EU and Asia. Also in Asian countries the logic is: If you expect me not to pirate this, it better do something good.
I hope this teaches Microsoft that the venue by which they made the 40 billion they have sitting in the bank is us, the victims of pre-installs on new PCs (I believe 80% of the MSFT revenue is from pre-install), we should get a piece of that if we are wronged by the software.
There is a huge disparity between what is claimed on the glossy box and what is delivered in reality, and the consumer needs to be protected from fraud and fiscal liability due to product failure.
It applies to every other business. Software should be the same.
Also, EULAs claim the license isn't transferable and resalable, I content that this means it then has no value. No one can tell you you can't sell your used car.
Legalize the constitution. Think for yourself question authority.
If this goes through, it could set a precedent of liability for software bugs... that's bad, of course.
Here's an interesting thought: maybe closed source software could be hit harder by this because keeping the source closed could be considered hiding the vulnerability? IANAL, of course.
Another thing - aren't there liability issues for engineers in other fields as well - like holding a bridge engineer accountable if the whole thing falls down? Of course, a software bug isn't quite that serious, but still...
Anyway there is a very important point about *incidents* like this : they get people's attention about the completly crazy EULAs that some SW companies (namely Micosoft) and content providers (RIAA/Hollywood mob) are currently imposing to they 're costumers ...
imposing a bit of regulation about the limits of what could be put in a EULA is IMHO a very good think ...
if the ppl who launched this lawsuit make the
Cheers from Portugal
Except MS has the same wording in their license.
Michael Loves Me!
(I am not a Korean laywer)
Does anybody know if the click-through license is worth a rat's ass in Korea? Does Korean law give the plantifs an edge that they wouldn't have in the US? Any Korean laywers out there?
Actually, even tho Microsoft had a patch available for the SQL vulnerability months before Slammer hit, a subsequent patch re-opened the vulnerability. Maybe their techs did all the patches when they were released.
I don't believe they ignored the problem or didn't fix it. IIRC they had a patch out 6 months beforehand.
You want to sue someone, sue the sysadmins who
A) Didn't patch
B) Left MS SQL right out on the open internet
C) In short didn't do their jobs.
If you're running MS products it might not be by choice, but there is no excuse for not being aware of patches and the state of your firewall. They were all probably too busy rebooting Windows desktops to have time, but still.
-- taking over the world, we are.
why boxes at Microsoft were not patched against SQL Slammer. Do they sue themselves, fire the admin or simply replace the servers with free software?
Friends don't help friends install M$ junk.
I'm also wondering if/how many of the copies of Windows that precipitated in Slammer were legal. Asia is notorious for its pirated software problems. Not that I'm insinuating anything but Microsoft might be able to say "Well a lot of the machines were illegal anyway therefore in breach of our support. I'm sorry but we can't be held accountable for criminal use blah blah blah-"
Possible?
What is music when you despise all sound?
--didn't think of that one. If software isn't a product, then what is it?
I am not sure on the entire liability issue right this second, but comes a time that any "industry" needs to come to grips with reality, and I think that time will be soon probably. Computers and the software to run them have had decades now to get established and to come out of thier "honeymoon" stage, with the EULA "get out of jail free" cards. the hardware is warrantied. The software sure needs something.
There needs to be some sort of consumer protection and warranty. Eventually there will have to be, it's about inevitable. Everything else man made has one. If that means much less "new" is released and a lot more "improved", I'm all for it. If it means less variety but better quality, I am all for it. If it means that "paid for-sale" software with a warranty gets so expensive that "free" dominates with a shareware and volunteer concept, I'm all for it. and I see that as an EXACT dividing line, it's for sale, it needs a warranty, if it's a "freebie, here try this, see if you like it" type deal, it doesn't need a warranty. I think that is fair and rational.
OR, wait until a few more worms or whatever hit all one day, the mother of all net shutdowns, and have the government force something down your throat that is beyond a warranty into planned, controlled, licensed.
As an aside, can you imagine the first major software vendor TO offer a warranty? How much of a marketing edge would that be, given they had really done their auditing and were actually confident their offering was decent enough to offer the warranty? I think they would get uberrich, well deserved cash for superior outstanding coding efforts. I know some custom stuff does, but anything major mass market? Does it even exist yet? I honestly don't know, but myself as joe consumer, I might just be tempted to purchase an OS offering like that, and pay much serious cash for it.
First, if Microsoft's EULA already prevents them from being sued, software is as-is, why do they release patches in the first place?
This isn't a question about whether or not a user can sue, but a more basic matter of accountability and responsibility. These are the most fundamental issues in selling anything to the public.
Microsoft is responsible for this snafu, but they have never been held accountable. Their bugs, their glitches, their crashes. Its become a running joke with techies. It shouldn't.
When Slammer first hit, people said installing the patches required taking down the servers, running several patches, and praying it still worked. No garunatees about anything. What's the justification? Time wasn't available. Who could afford to do this? How high was it on MS list of things that had to be done?
But no one is mentioning those same arguments now. Its South Korea's fault for not doing the updates.
As I recall weren't the patches buggy enough to cause another major security hole?
We know Microsoft is responsible. We know who should be held accountable. But MS throws in a disclaimer and all is good. The disclaimer is not a silver bullet. There must be accountability for faulty software, no matter who wrote it.
Will it stifle open source development? Probably scare off crap coders is what it will do. If everyone working together reviews, checks, and verifies, they are going to catch most of the bugs before it goes out the door. The remaining bugs are fixed with patches.
I honestly don't see anything wrong with suing them. The EULA is not a catch all. The EULA should be thrown out, and rewritten. Users have the right to hold developers accountable.
Its about time someone figure out how.
But that's a bad analogy, too. Failing to lock a lock is not the same thing as failing to patch a server. Failing to lock your lock (or, to use an automotive equivalent to keep things consistent, leaving your keys in the ignition) is like failing to change the default password on a server- a basic thing that's an inherent part of the job. Patching a server is more like taking your car in as part of a safety recall.
Both cars with safetly defects and servers with vulnerabilities represent errors on the part of the maker that put the user in danger, and you can draw some strong additional analogies about the process of getting the product fixed. In both cases, for instance, the process of getting everything fixed can take some time- time for the problem to come to light, for the maker to figure out a solution, for users to be notified of the problem, and for the fix to be applied. The balance of liability shifts between maker and user as you progress through the process. If a user gets hurt by a previously unknown problem, you have a strong case for the maker's liability for selling a defective product. The longer the fix has been available, though, the more it becomes the user's responsibility to have the problem corrected. If a Pinto was damaged by fire a year after Ford issued a safety recall, or a MS user is burned by a vulnerability six months after the patch was made public, it is the user's fault for failing to have a needed fix applied.
There's no point in questioning authority if you aren't going to listen to the answers.
Not trying to say that this thing will go anywhere, but... Shrink-wrap agreements which you have the ability to read only AFTER a purchase holds no water in most counties. AFAIK, these kinds of agreements haven't been proven to bear any legal value in the US either.
Point is, hiding some whishful text, which the consumer can not see, inside a purchased product can not dictate any kind of restriction or other whishful commitment on the customer's part.
- Give me all you money!
- Why?
- You're wearing a shirt which on the inside, just beside the laudry tag states "Any wearer of this shirt agrees to give all their money to whom ever asks for it".
'ts Stupid.
In a society that believes in nothing, fear becomes the only agenda ~ Bill Durodié
Ok, fine, that's not what I'm worried about. I'm worried about how this will affect the closed source that I develop. You know, the kind that I get paid to write? You mean a customer can now sue me or the company I work for, even though they insisted on having the software completed in an unreasonable amount of time without testing, and put it into production well before it was ready for that? Wonderful.
--Drunk as in Beer
"haven't noticed the NO WARRANTEE blurb in the MS EULA."
On the other hand, Microsoft software is "leased (not sold)," which means any damage done was done by Microsoft property.
If there is any legal eagles in the audience, what is the precedent involving a seriously defective car that causes injury/death/damage? This defect would have a notice sent out somewhere/somehow offering the capacity to take the car back to the shop and replace the defective part, but the user either didn't know or didn't follow through with the effort involved.
This seems to be what this software has done: there was a defect and a capacity for a customer to do work to fix it, they didn't do it, and damage resulted.
Any cases like this with products in the automotive area, and did they favour the defendant or the plantiff?
Best wishes,
Robert
-----
Cast a Cold Eye
On Life, on Death
Horseman, pass by
--W.B. Yeats' gravestone
I don't see this as a valid lawsuit. Microsoft had relesaed a patch for the vulnerability that slammer uses months before the worm showed up.
the eWeek article is refering to this Chosun Ilbo article in a Korean daily newspaper. The lawsuit is part of the 3 way lawsuit against the South Korean Information Minister, ISPs, and the South Korean division of Microsoft. Again this is the SOUTH KOREAN division of Microsoft for failing to inform Korean ISPs of the patch and its signifigance. These are people and businesses who were knocked off the grid for days and had nothign to do with microsoft's licensing. Thus a class action lawsuit. The idiot poster makes it sound completelly different.
Yes there was a patch out BUT it couldn't be installed on a great deal of systems without some serious hacking, something which Microsoft ADMITTED TO. It actually broke some installations. Not the kind of thing you want to be responsible for as a BOFH on a SQL Server serving 10,000's of users.
Conor "You're not married,you haven't got a girlfriend and you've never seen Star Trek? Good Lord!" - Patrick Stewart
I recall from my business law class that workers once sued a company who manufactured a type of machine they used at work. The machine had a steel casing around it to prevent people from accessing the moving parts. I don't recall how exactly, but part of the casing was removed by the workers and replaced with a cardboard box (perhaps for easy access), and one day, someone was walking on top of the huge machine and stepped on the cardboard covering. Their leg went right through it, of course, and they lost their leg in the gears below. They sued -- not their company, but the manufacturer of the machine for not clearly labeling that removing the casing (or replacing it w/ another material) could be a safety hazard & WON!!! Do I agree with the ruling personally? no... but, there is an implied contract that states that the manufacturer has a duty to warn the buyer of potential safety hazards. The metal casing was assumed to be protection enough, but there was no warning to the customer that removing it while in operation might be unsafe, thus... they were liable.
I could forsee a case against Microsoft for not giving advice for proper protection against viruses (such as putting up a firewall, using anti-virus software, not opening e-mail attachments from people you don't know & never opening an executable (bat, exe, com, vbs) without knowing exactly what it is, etc. Of course, you couldn't win any damages for physical pain and suffering, but perhaps monetary compensation for work, money, and/or computers lost due to their negligence in warning a user.
hmm... I'd have to ask a lawyer about that b/c it could be considered "common sense" in the computing age, but... hey... if you can win a few million for spilling hot coffee on yourself from a fast-food place, who knows?!?!? ;-)
yet if your car was to suddenly veer off the road from a known defect you'd expect the auto company to deal with it! Driving the car down the road doesn't generally cause the wheels to just 'fall-off'! That is the issue with MS.
Maytag repair guys are what 100,000-to-1 with their insalled base? even doctors are about 100-200-to-1. yet PCs are supposed to be 10 or 20-to-1 for admins. It's a crock! If any other business system was this terrible, it would be bankrupt in a year! And MS only answer is that the admin should run around and babysit the system? They offer automated updates, then again blame the admin for not "testing". You all check the gas quality going in your car before you fill up right. Or, you consult medical texts after going to the doctor just to be sure he called your illness right.
I'm sorry, this stuff should just work. Compaies have invested 10 years and billions of dollars into windows and it still doesn't just work! Billy designed the system so that MS had 'plausable deniability' After all, they don't make hardware [not their fault], or drivers [not their fault], or systems [oems didn't test, not our fault], or software [sure we have Secret APIs but not their fault], they pretend to train admins [but not their fault if admin shamans don't dance right], and of course users because they make the computer do "stuff" MS might not have planned! [if MS did plan it, they'd charge more!] They have no techincal support without outrageous fees [Linux cost is mostly support--and you can afford to use it!] Well, it's basicly like OSS only costs more. They offer the same package of benifits!
That said, I don't think a lawsuit is the way to go either. We're trying to get rid of stupid IP laws, not tie ourselves to them more! If the liability cost of software goes up, then free software will die a horrible death. We're not sophisticated enough to have software "building codes" yet and license "Software Accountants" to set them up. Even then without 100% control of a system, you just can't have that kind of liability...Then again, maybe that's what MS wants [OK we know they want it] total control of the systems and your wallets!
This is a good point, and might make something good come of what otherwise sounds like a ludicrous lawsuit. If retaining "ownership" of the software, and only "licensing" it to us, makes software companies liable for bugs, maybe they'll start letting us actually buy the stuff we pay for.
Not bloody likely, though. This lawsuit is being brought in South Korea, so that even if they win, the precedent doesn't really apply over here (here being U.S. in my case).
I found the meaning of life the other day, but I had write-only access.
Sidebar from an article on Slammer in the Feb.3, 2003 issue, page 12:
... it's only with Service Pack 3 that it became easy to install".
"...many IT departments did not install the initial patch because installation could not be scripted. Instead, DBAs were required to manually stop each instance of the software running in their organizations, rename or remove some files, and paste the patch files into each instance
~REZ~ #43301. Who'd fake being me anyway?
Certainly until this comes to court (wherever), it will be pretty hard to tell what this really is about. However, in looking at the PSPD web page about this lawsuit, it appears to me as if it is claiming damage to all Korean Internet users caused by the MS bug (hard to dispute), and the crux of the question the court will have to decide is whether MS was negligent in allowing the bug to be released. The claim is that by negligently allowing the bug to escape Redmond in the first place, MS shares responosibility in the consequential damages that ensued.
All these comments about EULA, and whether a product was purchased, and you get what you pay for, and Open Software has no warranty, etc. are not relevant.
If MS released software into the wild which caused widespread actual loss to Internet-connected systems and their owners, whether or not those owners were MS customers, then is MS liable for those damages?
Starts to sound like going after the author of a virus/worm. The boundary between the actual virus/worm which exploits a security flaw and the ubiquitous system which contains the flaw gets very fuzzy in the eyes of a lawyer who might be able to prove negligence.
Of course, IANAL (sounds pr0n-like, doesn't it?), but I wonder about ambulance-chasing or its equivalent, and definitely view it with mixed emotions. No matter how much I might side with the plaintiffs in this case.
In theory, practice and theory are the same. In practice, they rarely are.
No, it's more like if Ford made a defect in the locking system where there is another hole right below the keyhole, and if you stick a pencil in it, the door pops open. No key needed. Who is more stupid? The company who made a car with such a stupid design flaw, the idiot who bought a car with stupid defects and stupid design flaws, or the idiot who thinks it's fun to abuse the situation and go joyriding in everyone's cars?
I'm so sick of you MS bootlickers (yes, that's exactly what you are).
MS SQL has 11% marketshare (according to MS themselves), yet the only mass-infection hit it and not somebody else. Coincidence?
IIS runs only 25% (and sinking) of webservers, yet ALL mass-infections so far hit it and none Apache which runs over 60%.
It's a fact that MS software comes with a higher risk than anything else. No system is perfectly secure, true, but if you really think that MS software is equally secure as anything else, especially GPL software, then you are living in a dreamworld.